#! /usr/bin/python -E # Authors: Karl MacMillan # # Copyright (C) 2007 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import sys import logging, tempfile, shutil, os, pwd import traceback from ConfigParser import SafeConfigParser import krbV from optparse import OptionParser import ipapython.config from ipapython import ipautil from ipaserver.install import dsinstance, installutils, certs, httpinstance from ipaserver import ipaldap from ipapython import version from ipalib.constants import DEFAULT_CONFIG from ipalib import api import ldap def parse_options(): usage = "%prog [options] FQDN (e.g. replica.example.com)" parser = OptionParser(usage=usage, version=version.VERSION) parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", help="install certificate for the directory server") parser.add_option("--http_pkcs12", dest="http_pkcs12", help="install certificate for the http server") parser.add_option("--dirsrv_pin", dest="dirsrv_pin", help="PIN for the Directory Server PKCS#12 file") parser.add_option("--http_pin", dest="http_pin", help="PIN for the Apache Server PKCS#12 file") parser.add_option("-p", "--password", dest="password", help="Directory Manager (existing master) password") ipapython.config.add_standard_options(parser) options, args = parser.parse_args() # If any of the PKCS#12 options are selected, all are required. Create a # list of the options and count it to enforce that all are required without # having a huge set of it blocks. pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin] cnt = pkcs12.count(None) if cnt > 0 and cnt < 4: parser.error("error: All PKCS#12 options are required if any are used.") if len(args) != 1: parser.error("must provide the fully-qualified name of the replica") ipapython.config.init_config(options) return options, args def get_host_name(): hostname = installutils.get_fqdn() try: installutils.verify_fqdn(hostname) except RuntimeError, e: logging.error(str(e)) sys.exit(1) return hostname def get_realm_name(): try: c = krbV.default_context() return c.default_realm except Exception, e: return None def get_domain_name(): try: ipapython.config.init_config() domain_name = ipapython.config.config.get_domain() except Exception, e: return None return domain_name def check_ipa_configuration(realm_name): config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) if not ipautil.dir_exists(config_dir): logging.error("could not find directory instance: %s" % config_dir) sys.exit(1) def export_certdb(realm_name, ds_dir, dir, passwd_fname, fname, hostname): """realm is the kerberos realm for the IPA server. ds_dir is the location of the master DS we are creating a replica for. dir is the location of the files for the replica we are creating. passwd_fname is the file containing the PKCS#12 password fname is the filename of the PKCS#12 file for this cert (minus the .p12). hostname is the FQDN of the server we're creating a cert for. The subject is handled by certs.CertDB:create_server_cert() """ try: self_signed = certs.ipa_self_signed() db = certs.CertDB(dir) db.create_passwd_file() # if self_signed: # ca_db = certs.CertDB(dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name))) # db.create_from_cacert(ca_db.cacert_fname) # else: # ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) ca_db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert("Server-Cert", hostname, ca_db) except Exception, e: raise e pkcs12_fname = dir + "/" + fname + ".p12" try: db.export_pkcs12(pkcs12_fname, passwd_fname, "Server-Cert") except ipautil.CalledProcessError, e: print "error exporting Server certificate: " + str(e) remove_file(pkcs12_fname) remove_file(passwd_fname) remove_file(dir + "/cert8.db") remove_file(dir + "/key3.db") remove_file(dir + "/secmod.db") remove_file(dir + "/noise.txt") if ipautil.file_exists(passwd_fname + ".orig"): remove_file(passwd_fname + ".orig") def export_ra_pkcs12(dir, dm_password): """ dir is the location of the files for the replica we are creating. dm_password is the Directory Manager password If this install is using dogtag/RHCS then export the RA certificate. """ if certs.ipa_self_signed(): return (agent_fd, agent_name) = tempfile.mkstemp() os.write(agent_fd, dm_password) os.close(agent_fd) try: try: db = certs.CertDB(httpinstance.NSS_DIR, host_name=get_host_name()) if db.has_nickname("ipaCert"): pkcs12_fname = "%s/ra.p12" % dir db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert") except Exception, e: raise e finally: os.remove(agent_name) def get_ds_user(ds_dir): uid = os.stat(ds_dir).st_uid user = pwd.getpwuid(uid)[0] return user def save_config(dir, realm_name, host_name, ds_user, domain_name, dest_host): config = SafeConfigParser() config.add_section("realm") config.set("realm", "realm_name", realm_name) config.set("realm", "master_host_name", host_name) config.set("realm", "ds_user", ds_user) config.set("realm", "domain_name", domain_name) config.set("realm", "destination_host", dest_host) fd = open(dir + "/realm_info", "w") config.write(fd) def remove_file(fname, ignore_errors=True): try: os.remove(fname) except OSError, e: if not ignore_errors: raise e def copy_files(realm_name, dir): config_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) try: shutil.copy("/var/kerberos/krb5kdc/ldappwd", dir + "/ldappwd") shutil.copy("/var/kerberos/krb5kdc/kpasswd.keytab", dir + "/kpasswd.keytab") shutil.copy("/usr/share/ipa/html/ca.crt", dir + "/ca.crt") if ipautil.file_exists("/usr/share/ipa/html/preferences.html"): shutil.copy("/usr/share/ipa/html/preferences.html", dir + "/preferences.html") shutil.copy("/usr/share/ipa/html/configure.jar", dir + "/configure.jar") except Exception, e: print "error copying files: " + str(e) sys.exit(1) def get_dirman_password(): return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False) def main(): options, args = parse_options() replica_fqdn = args[0] # Just initialize the environment. This is so the installer can have # access to the plugin environment api.env._bootstrap() api.env._finalize_core(**dict(DEFAULT_CONFIG)) if not certs.ipa_self_signed() and not ipautil.file_exists("/var/lib/pki-ca/conf/CS.cfg") and not options.dirsrv_pin: sys.exit("The replica must be created on the primary IPA server.\nIf you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well.") print "Determining current realm name" realm_name = get_realm_name() if realm_name is None: print "Unable to determine default realm" sys.exit(1) check_ipa_configuration(realm_name) print "Getting domain name from LDAP" domain_name = get_domain_name() if domain_name is None: print "Unable to determine LDAP default domain" sys.exit(1) host_name = get_host_name() if host_name == replica_fqdn: print "You can't create a replica on itself" sys.exit(1) ds_dir = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm_name)) ds_user = get_ds_user(ds_dir) # get the directory manager password dirman_password = options.password if not options.password: try: dirman_password = get_dirman_password() except KeyboardInterrupt: sys.exit(0) # Try out the password try: conn = ipaldap.IPAdmin(host_name) conn.do_simple_bind(bindpw=dirman_password) conn.unbind() except ldap.CONNECT_ERROR, e: sys.exit("\nUnable to connect to LDAP server %s" % host_name) except ldap.SERVER_DOWN, e: sys.exit("\nUnable to connect to LDAP server %s" % host_name) except ldap.INVALID_CREDENTIALS, e : sys.exit("\nThe password provided is incorrect for LDAP server %s" % host_name) print "Preparing replica for %s from %s" % (replica_fqdn, host_name) top_dir = tempfile.mkdtemp("ipa") dir = top_dir + "/realm_info" os.mkdir(dir, 0700) if options.dirsrv_pin: passwd = options.dirsrv_pin else: passwd = "" passwd_fname = dir + "/dirsrv_pin.txt" fd = open(passwd_fname, "w") fd.write("%s\n" % passwd) fd.close() if options.dirsrv_pkcs12: print "Copying SSL certificate for the Directory Server from %s" % options.dirsrv_pkcs12 try: shutil.copy(options.dirsrv_pkcs12, dir + "/dscert.p12") except IOError, e: print "Copy failed %s" % e sys.exit(1) else: try: if not certs.ipa_self_signed(): # FIXME, need option for location of CA backup if ipautil.file_exists("/root/tmp-ca.p12"): shutil.copy("/root/tmp-ca.p12", dir + "/ca.p12") else: raise RuntimeError("Root CA PKCS#12 not found in /root/tmp-ca.p12") except IOError, e: print "Copy failed %s" % e sys.exit(1) print "Creating SSL certificate for the Directory Server" export_certdb(realm_name, ds_dir, dir, passwd_fname, "dscert", replica_fqdn) if options.http_pin: passwd = options.http_pin else: passwd = "" passwd_fname = dir + "/http_pin.txt" fd = open(passwd_fname, "w") fd.write("%s\n" % passwd) fd.close() if options.http_pkcs12: print "Copying SSL certificate for the Web Server from %s" % options.http_pkcs12 try: shutil.copy(options.http_pkcs12, dir + "/httpcert.p12") except IOError, e: print "Copy failed %s" % e sys.exit(1) else: print "Creating SSL certificate for the Web Server" export_certdb(realm_name, ds_dir, dir, passwd_fname, "httpcert", replica_fqdn) print "Exporting RA certificate" export_ra_pkcs12(dir, dirman_password) print "Copying additional files" copy_files(realm_name, dir) print "Finalizing configuration" save_config(dir, realm_name, host_name, ds_user, domain_name, replica_fqdn) replicafile = "/var/lib/ipa/replica-info-" + replica_fqdn encfile = replicafile+".gpg" print "Packaging replica information into %s" % encfile ipautil.run(["/bin/tar", "cf", replicafile, "-C", top_dir, "realm_info"]) ipautil.encrypt_file(replicafile, encfile, dirman_password, top_dir); remove_file(replicafile) shutil.rmtree(dir) try: if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") main() except SystemExit, e: sys.exit(e) except Exception, e: print "preparation of replica failed: %s" % str(e) message = str(e) for str in traceback.format_tb(sys.exc_info()[2]): message = message + "\n" + str logging.debug(message) print message sys.exit(1)